Active Directory-integrated DNS question
  • Active Directory-integrated DNS question

    Hi all,

    I have 2 servers running Windows 2000, and both are using Active Directory-integrated DNS.

    ServerA is the DC for DomainA (domain.net). ServerB is the DC for DomainB (subdomain.domain.net).

    Since both DNS servers have the DNS details for both the domain and subdomain, I decided to get the DHCP server to supply the IP address for ServerB as the PDNS entry. I also use the DDNS functionality, as 99% of our workstations are a mixture of Windows 2000 and Windows XP.

    This seems to be working fine, but today I suspected that I am missing something.

    I went to the DNS console on ServerB and deleted a hardcoded entry for an old linux box which I discontinued (no problem here).
    But when I went to ServerA 5 minutes later, I noticed that the entry I just deleted on ServerB still existed on ServerA! Also I noticed that a "new" computer's DNS entry only appears in the DNS console on ServerB but not in the DNS console on ServerA, yet I can still ping the DNS name for the "new" computer from the ServerA console. (The "new" computer had been on the network for 3 to 4 hours already.)

    Am I missing something here?

    How can I get the entries in the DNS consoles on the 2 servers to be synchronised? Or have I stuffed up my setup somehow?

  • #2
    Is replication between the 2 DCs working properly ?

    run dcdiag on both servers and search for any replication errors.
    Normally, changes in AD should be replicated within 5 mins in the same site, when the replication is working correctly.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Active Directory-integrated DNS question...

      Well the SMTP Service was stopped and set to manual on ServerA. Oh Wild! So I set it to automatic and started it.

      It is when I also noticed something funny, actually.

      I had only changed the DNS to be Active Directory-integrated the day before I made the original posting and while skimming through the Directory Service Event Logs, I came across something funny.

      ServerB is essentially a replacement for ServerC and ServerD (both of which I just retired). 2 events in the Directory Service Event Logs said that for both ServerA and ServerB, no object existed for an inbound connection for ServerC and that it would no longer be replicating from it! ServerC previously held all but the global catalog, and I had moved all of the required roles to ServerB before demoting the server.
      What would the implications be if I just removed the entries for ServerC and ServerD in the Active Directory Sites and Services console?



      • #4
        > Since both DNS servers have the DNS details both the domain and subdomain

        > how can I get the entries in the DNS consoles on the 2 servers to be synchronised?

        I wonder how you got the zones to appear in both DNS servers. You cannot do with AD integrated DNS in your case, since you are running W2000. This limits zone replication to the domain, and since you have two of them ...

        > Or have I stuffed up my setup somehow?

        Maybe Main question: how did you connect the two DNS servers? The only way seems to be a primary/secondary construction, but you are not mentioning it. So if you could give a bit more detail we could try to help out.



        • #5
          Originally posted by wkasdo
          You cannot do with AD integrated DNS in your case, since you are running W2000. This limits zone replication to the domain, and since you have two of them ...
          Nice catch ! Totally missed that part.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Yeah, I did leave a little information out - apologies for that.

            At the moment, there aren't any replication errors that I can see, and dcdiag reports all A OK.

            Up until the day before the original posting, I had ServerB as Primary and ServerA as Secondary before I moved it to Active Directory-integrated.

            ServerB manages the DNS for both domain.net and subdomain.domain.net, and since ServerA is just the Secondary and pulls the zone information from the Primary, I guess it would also manage both then.
            Subdomain.domain.net appears as a folder in the domain.net zone. During the installation of ServerB, the setup did something equivalent to going to the domain.net zone in the DNS Console, right-clicking on domain.net and selecting New Domain (at least that is pretty much what I can see it did; maybe I'm wrong).

            ServerA and ServerB manage/control 2 separate Windows "domains" as well.

            My understanding of DNS and AD is still very limited so I'm not too clear here.
            Are you saying that with W2k, if you have a domain and subdomain, you cannot have it as Active Directory-integrated, as W2k is not designed to cater for this type of scenario? Is this functionality in W2k3?

            I suppose ultimately the question that I really should be asking is: What are the benefits of using the Active Directory-integrated "model" over the Primary/Secondary "model"?



            • #7
              > Are you saying that with W2k, if you have a domain and subdomain, you cannot have it as Active Directory-integrated, as W2k is not designed to cater for this type of scenario? Is this functionality in W2k3?

              No, that is not what I meant. The w2000 restriction is that zone replication is limited to the domain. That does not mean it is unusable.

              In your situation, I would start with the following.

              1. ServerA hosts zones for domain.net
              2. ServerB hosts zones for subdomain.domain.net.
              3. ServerA has a domain delegation for subdomain.domain.net, so that ServerA can find subdomain.domain.net
              4. ServerB has a DNS forwarder to ServerA, so that it can find domain.net

              Note that all zones can be, and should be, AD integrated. Once you have this running properly you can think about increasing availability of the critical zone _msdcs.domain.net. Clients basically cannot log on if that zone is gone. A common solution is to have a secondary zone for that one on ServerB.

              I hope I'm making it clear, if not, ask away!



              • #8
                Originally posted by wkasdo
                > In your situation, I would start with the following.

                1. ServerA hosts zones for domain.net
                2. ServerB hosts zones for subdomain.domain.net.
                3. ServerA has a domain delegation for subdomain.domain.net, so that ServerA can find subdomain.domain.net
                4. ServerB has a DNS forwarder to ServerA, so that it can find domain.net
                Okay! I can see what you are suggesting here. Clever! Rather slick actually. Never thought of trying it that way as I have not tried that route before (although I have read about this sort of thing being done.)

                Originally posted by wkasdo
                > Note that all zones can be, and should be, AD integrated. Once you have this running properly you can think about increasing availability of the critical zone _msdcs.domain.net. Clients basically cannot log on if that zone is gone. A common solution is to have a secondary zone for that one on ServerB.
                Okay - I'm a little unsure of why this would be a good thing? I have no idea what the _msdcs.domain.net zone does. But I think I understand a bit of what the goal is, just unsure of the entire goal and the reasoning behind it.



                • #9
                  Sorry - forgot to ask - how does this affect (if at all) cross-domain (Windows domains that is) logins and file/folder/share permissions that cross the Windows domain boundaries?



                  • #10
                    Okay - I'm a little unsure of why this would be a good thing? I have no idea what the _msdcs.domain.net zone does. But I think I understand a bit of what the goal is, just unsure of the entire goal and the reasoning behind it.
                    The main point of the exercise is to make sure that all computers can find all other computers.

                    Good question about the _msdcs.* zone. It is essential because this zone tells you where the Global Catalogs live, and you need those to log on at all. By design, in W2000 this zone lives in the forest root domain. My suggestion was to replicate this zone (in practice, the entire forest root DNS domain) to the child.

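The four-step layout from #7 (parent zone on ServerA, child zone on ServerB, a delegation on the parent, a forwarder on the child) and the _msdcs availability point from #7/#10, written out as an added configuration example. This is not code from the thread: it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later, which the Windows 2000 servers in the thread predate, and the host names and 10.0.0.x addresses are constructed placeholders. It also assumes the Windows Server 2003+ layout where _msdcs.domain.net is its own zone; on Windows 2000 _msdcs is a folder inside domain.net, which is why #10 talks about replicating the whole forest-root DNS domain instead.

```powershell
# Added example, not from the thread. Requires the DnsServer module
# (Windows Server 2012+). Names and addresses are constructed placeholders.
$ServerA   = 'servera.domain.net'              # DC and DNS for domain.net (forest root)
$ServerAIp = '10.0.0.1'
$ServerB   = 'serverb.subdomain.domain.net'    # DC and DNS for subdomain.domain.net
$ServerBIp = '10.0.0.2'

# Step 3 (#7): on ServerA, delegate subdomain.domain.net to ServerB.
# This creates the NS record for "subdomain" in the domain.net zone together
# with the glue A record, so ServerA refers child-zone queries down to ServerB
# instead of answering NXDOMAIN for them.
Add-DnsServerZoneDelegation -ComputerName $ServerA -Name 'domain.net' `
    -ChildZoneName 'subdomain' -NameServer $ServerB -IPAddress $ServerBIp

# Step 4 (#7): on ServerB, forward everything it is not authoritative for
# (including the parent domain.net) to ServerA.
Add-DnsServerForwarder -ComputerName $ServerB -IPAddress $ServerAIp -PassThru

# Availability of the forest-root _msdcs zone (#7/#10). With a plain forwarder,
# ServerB cannot locate a Global Catalog while ServerA is down, so clients in the
# child cannot log on. A standard secondary of that zone on ServerB removes the
# dependency. ServerA must allow zone transfers to ServerB for this to work;
# restrict them to that one address rather than to any server.
Set-DnsServerPrimaryZone -ComputerName $ServerA -Name '_msdcs.domain.net' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $ServerBIp
Add-DnsServerSecondaryZone -ComputerName $ServerB -Name '_msdcs.domain.net' `
    -ZoneFile '_msdcs.domain.net.dns' -MasterServers $ServerAIp

# Checks, run from an admin workstation:
# 1. ServerA resolves a child name (via the delegation).
Resolve-DnsName -Server $ServerAIp -Name 'host1.subdomain.domain.net' -Type A
# 2. ServerB resolves a parent name (via the forwarder).
Resolve-DnsName -Server $ServerBIp -Name 'host2.domain.net' -Type A
# 3. ServerB answers the GC locator record from its own secondary copy;
#    repeat this one with ServerA stopped to prove the logon path survives.
Resolve-DnsName -Server $ServerBIp -Name '_ldap._tcp.gc._msdcs.domain.net' -Type SRV
# 4. The secondary is present and points at the intended master only.
Get-DnsServerZone -ComputerName $ServerB -Name '_msdcs.domain.net' |
    Select-Object ZoneName, ZoneType, MasterServers
```

The delegation and the forwarder solve different halves of the "everyone can find everyone" goal in #10: the delegation lets the parent hand off queries for the child, and the forwarder lets the child climb back up to the parent. Neither one keeps the child working when the parent server is offline; only the secondary copy of the _msdcs zone does that, which is why it is treated as a separate availability step.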
